Splunk Search

More help with regex

TheJagoff
Communicator

I am again in need of help with regex. In a scrubbed example (there are thousands more lines) of the following DNS log, I have the following:

4/13/2016 5:22:38 AM 062C PACKET 000000FE74EC0260 UDP Rcv 999.99.999.999 8088 Q [0001 D NOERROR] A (12)biggersearch(3)ent(4)john(5)local(0)

4/13/2016 5:22:37 AM 062C PACKET 000000FE766DC0A0 UDP Rcv 999.99.999.999 635d Q [0001 D NOERROR] A (3)dns(8)msftncsi(3)com(0)

I need to strip out
(12)biggersearch(3)ent(4)john(5)local(0)
to be
biggersearch.ent.john.local
and
(3)dns(8)msftncsi(3)com(0)
to be
dns.msftncsi.com

Please help and many thanks...


TheJagoff
Communicator

Hi and thank you,

I got the first part of this in my props.conf and I modified it a little and it works perfectly...

\[[^\]]+\]\s+\w*\s+\(\d+\)(?<url>\S+?)\(\d+\)$

I am unsure on how and where to place the remainder of this (I am assuming it goes into transforms.conf?):

s/(\(\d+\))/./g

Please help me finish this up and thank you again...


javiergn
Super Champion

Hi,

Could you post your regex again but using the code button above (the one with 1s and 0s)? Otherwise special characters will be removed.

With regards to your question about props and transforms, see the following links on how to use both files for advanced field extraction.

http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Createandmaintainsearch-timefieldextract...

https://answers.splunk.com/answers/132965/using-transforms-to-replace-raw-data-vs-sedcmd.html

https://answers.splunk.com/answers/210096/how-to-configure-sedcmd-in-propsconf.html

https://answers.splunk.com/answers/119/what-is-role-of-transforms-conf-vs-props-conf-for-field-extra...

Hope that helps.


TheJagoff
Communicator

EXTRACT-url = \[[^\]]+\]\s+\w*\s+\(\d+\)(?<url>\S+?)\(\d+\)$

and my url comes out as

biggersearch(3)ent(4)john(5)local

I am having difficulty getting it to be

biggersearch.ent.john.local

Just unsure as to how to finish it up via transforms.conf

Many thanks and I apologize for being confused on this subject


maciep
Champion

If you're already extracting that in props, maybe just finish up there with an eval, something like this?

EVAL-url = replace(url,"\(\d+\)",".")

The eval should be processed after the extract.
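As an added example (not code from this thread or from Splunk), here is the same extract-then-replace pipeline in Python, run over the two scrubbed log lines, plus a stricter decoder that checks every length prefix against its label, which the replace() approach never does. The sample lines, function names and the LABEL_UNIT pattern are mine.

```python
import re
from typing import Optional

# Constructed sample lines (addresses scrubbed), in the Windows DNS debug-log layout from the thread.
SAMPLE_LOG = """\
4/13/2016 5:22:38 AM 062C PACKET 000000FE74EC0260 UDP Rcv 999.99.999.999 8088 Q [0001 D NOERROR] A (12)biggersearch(3)ent(4)john(5)local(0)
4/13/2016 5:22:37 AM 062C PACKET 000000FE766DC0A0 UDP Rcv 999.99.999.999 635d Q [0001 D NOERROR] A (3)dns(8)msftncsi(3)com(0)
"""

# The EXTRACT-url pattern from the thread; Python's re spells a named group as (?P<name>...).
EXTRACT_URL = re.compile(r"\[[^\]]+\]\s+\w*\s+\(\d+\)(?P<url>\S+?)\(\d+\)$")
# The EVAL-url pattern: every "(N)" label-length marker becomes a dot.
LABEL_MARKER = re.compile(r"\(\d+\)")
# One "(N)label" unit of the encoded name, used by the checked decoder below (my addition).
LABEL_UNIT = re.compile(r"\((\d+)\)([^(]*)")

def extract_url(line: str) -> Optional[str]:
    """Equivalent of EXTRACT-url: the query name minus its first length prefix and the trailing (0)."""
    m = EXTRACT_URL.search(line)
    return m.group("url") if m else None

def dotted_name(url: str) -> str:
    r"""Equivalent of EVAL-url = replace(url, "\(\d+\)", ".")."""
    return LABEL_MARKER.sub(".", url)

def decode_labels(encoded: str) -> Optional[str]:
    """Stricter decoder: walk the full "(N)label...(0)" form and check that every N matches
    its label's length. replace() never checks this, so a truncated or corrupted line still
    yields a plausible-looking name; here a malformed name returns None instead."""
    labels, pos = [], 0
    for m in LABEL_UNIT.finditer(encoded):
        if m.start() != pos or len(m.group(2)) != int(m.group(1)):
            return None  # stray text between units, or a length prefix that does not match
        if m.group(2):  # the final (0) is the root label and carries no text
            labels.append(m.group(2))
        pos = m.end()
    if pos != len(encoded) or not encoded.endswith("(0)"):
        return None  # trailing junk, or no terminating root label
    return ".".join(labels)

def names_from_log(text: str) -> list:
    """Apply extract then replace to every line, mirroring the props.conf EXTRACT-then-EVAL order."""
    return [dotted_name(u) for u in map(extract_url, text.splitlines()) if u is not None]
```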

TheJagoff
Communicator

Works like a charm! Thanks to you both for helping me put this all together.
